Russia-Linked Cyberspies Target Google Accounts

The notorious cyberespionage group Pawn Storm has targeted a significant number of Google accounts belonging to individuals in Russia, the United States, Europe and former Soviet Union countries.

The advanced persistent threat (APT) actor is also known as APT28, Fancy Bear, TG-4127, Strontium, Sofacy, Sednit and Tsar Team. It is one of the two supposedly Russian threat groups believed to have breached the systems of the U.S. Democratic National Committee (DNC).

Shortly after news broke that Russian hackers had targeted DNC systems, researchers at SecureWorks reported that Pawn Storm had attempted to steal credentials associated with nearly 4,000 Gmail accounts between October 2015 and May 2016. The list of targets included people working for or associated with the DNC and Hillary Clinton’s presidential campaign.

A new report published this week by SecureWorks details an earlier spear phishing campaign that targeted over 1,800 Google accounts. While many of them belonged to people in Russia and former Soviet Union states, some of the targets were current and former government and military personnel in the United States and Europe, and foreign authors and journalists interested in Russia.

“The range of targets demonstrates that the threat group poses a broad threat to individuals and groups associated with U.S. politics, to organizations and individuals in the government and defense verticals, and to those whose business involves commenting on Russia,” SecureWorks researchers noted.

In this campaign, attackers used a domain named “accoounts-google.com” to trick users into handing over their Google credentials. A link to this phishing website was disguised using the Bit.ly URL shortening service and sent via email to targeted individuals.

An analysis of the targeted accounts revealed that Pawn Storm was mostly after information on Russia’s military involvement in eastern Ukraine. Attackers also attempted to hack into the accounts of journalists, advocacy groups and human rights organizations in Russia, and political, military and diplomatic targets in former Soviet countries.

Outside Russia and the former Soviet Union, attackers targeted military personnel, authors and journalists, NGOs, people involved in government and defense supply chains, government personnel, aerospace researchers, aviation professionals and political activists. A majority of the government and military targets were from the United States and NATO member countries.

Researchers discovered nearly 4,400 phishing URLs sent to the owners of more than 1,800 Google accounts between March and September 2015. An analysis of the URLs showed that 59 percent of them were clicked, but it’s unclear how many users actually took the bait.

While many of the accounts received multiple phishing URLs, roughly one-third of them were only targeted once and 60 percent of these recipients clicked the malicious link, which could indicate that they were successfully compromised.

Eduard Kovacs is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.